Best Practices
- ApexAssertionsShouldIncludeMessage: The second parameter of System.assert/third parameter of System.assertEquals/System.assertNotEqua…
- ApexUnitTestClassShouldHaveAsserts: Apex unit tests should include at least one assertion. This makes the tests more robust, and usi…
- ApexUnitTestMethodShouldHaveIsTestAnnotation: Apex test methods should have ‘@isTest’ annotation instead of the ‘testMethod’ keyword, as ‘testM…
- ApexUnitTestShouldNotUseSeeAllDataTrue: Apex unit tests should not use @isTest(seeAllData=true) because it opens up the existing database…
- AvoidGlobalModifier: Global classes should be avoided (especially in managed packages) as they can never be deleted or…
- AvoidLogicInTrigger: As triggers do not allow methods like regular classes they are less flexible and suited to apply …
- DebugsShouldUseLoggingLevel: The first parameter of System.debug, when using the signature with two parameters, is a LoggingLe…
- UnusedLocalVariable: Detects when a local variable is declared and/or assigned but not used.
Code Style
- ClassNamingConventions: Configurable naming conventions for type declarations. This rule reports type declara…
- FieldDeclarationsShouldBeAtStart: Field declarations should appear before method declarations within a class.
- FieldNamingConventions: Configurable naming conventions for field declarations. This rule reports variable declarations …
- ForLoopsMustUseBraces: Avoid using ‘for’ statements without using surrounding braces. If the code formatting or indentat…
- FormalParameterNamingConventions: Configurable naming conventions for formal parameters of methods. This rule reports f…
- IfElseStmtsMustUseBraces: Avoid using if..else statements without using surrounding braces. If the code formatting or inden…
- IfStmtsMustUseBraces: Avoid using if statements without using braces to surround the code block. If the code formatting…
- LocalVariableNamingConventions: Configurable naming conventions for local variable declarations. This rule reports va…
- MethodNamingConventions: Configurable naming conventions for method declarations. This rule reports method dec…
- OneDeclarationPerLine: Apex allows the use of several variables declaration of the same type on one line. However, it ca…
- PropertyNamingConventions: Configurable naming conventions for property declarations. This rule reports property…
- VariableNamingConventions: Deprecated A variable naming conventions rule - customize this to your liking. Currently, it checks for fin…
- WhileLoopsMustUseBraces: Avoid using ‘while’ statements without using braces to surround the code block. If the code forma…
Design
- AvoidDeeplyNestedIfStmts: Avoid creating deeply nested if-then statements since they are harder to read and error-prone to …
- CognitiveComplexity: Methods that are highly complex are difficult to read and more costly to maintain. If you include…
- CyclomaticComplexity: The complexity of methods directly affects maintenance costs and readability. Concentrating too m…
- ExcessiveClassLength: Excessive class file lengths are usually indications that the class may be burdened with excessiv…
- ExcessiveParameterList: Methods with numerous parameters are a challenge to maintain, especially if most of them share th…
- ExcessivePublicCount: Classes with large numbers of public methods and attributes require disproportionate testing effo…
- NcssConstructorCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
- NcssMethodCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
- NcssTypeCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
- StdCyclomaticComplexity: Complexity directly affects maintenance costs is determined by the number of decision points in a…
- TooManyFields: Classes that have too many fields can become unwieldy and could be redesigned to have fewer field…
Documentation
- ApexDoc: This rule validates that: ApexDoc comments are present for classes, methods, and properties th…
Error Prone
- ApexCSRF: Having DML operations in Apex class constructor or initializers can have unexpected side effects:…
- AvoidDirectAccessTriggerMap: Avoid directly accessing Trigger.old and Trigger.new as it can lead to a bug. Triggers should be …
- AvoidHardcodingId: When deploying Apex code between sandbox and production environments, or installing Force.com App…
- AvoidNonExistentAnnotations: Apex supported non existent annotations for legacy reasons. In the future, use of suc…
- EmptyCatchBlock: Empty Catch Block finds instances where an exception is caught, but nothing is done. In most circ…
- EmptyIfStmt: Empty If Statement finds instances where a condition is checked but nothing is done about it.
- EmptyStatementBlock: Empty block statements serve no purpose and should be removed.
- EmptyTryOrFinallyBlock: Avoid empty try or finally blocks - what’s the point?
- EmptyWhileStmt: Empty While Statement finds all instances where a while statement does nothing. If it is a timing…
- InaccessibleAuraEnabledGetter: In the Summer ‘21 release, a mandatory security update enforces access modifiers on Apex properti…
- MethodWithSameNameAsEnclosingClass: Non-constructor methods should not have the same name as the enclosing class.
- OverrideBothEqualsAndHashcode: Override both ‘public Boolean equals(Object obj)’, and ‘public Integer hashCode()’, or override n…
- TestMethodsMustBeInTestClasses: Test methods marked as a testMethod or annotated with @IsTest, but not residing in a te…
Performance
- AvoidDebugStatements: Debug statements contribute to longer transactions and consume Apex CPU time even when debug logs…
- AvoidDmlStatementsInLoops: Deprecated Avoid DML statements inside loops to avoid hitting the DML governor limit. Instead, try to batch …
- AvoidSoqlInLoops: Deprecated New objects created within loops should be checked to see if they can created outside them and re…
- AvoidSoslInLoops: Deprecated Sosl calls within loops can cause governor limit exceptions. This rule is deprecated and will be …
- OperationWithLimitsInLoop: Database class methods, DML operations, SOQL queries, SOSL queries, Approval class methods, Email…
Security
- ApexBadCrypto: The rule makes sure you are using randomly generated IVs and keys for ‘Crypto’ calls. Hard-wiring…
- ApexCRUDViolation: The rule validates you are checking for access permissions before a SOQL/SOSL/DML operation. Sinc…
- ApexCSRF: Deprecated The rule has been moved to another ruleset. Use instead ApexCSRF.
- ApexDangerousMethods: Checks against calling dangerous methods. For the time being, it reports: Against ‘FinancialForc…
- ApexInsecureEndpoint: Checks against accessing endpoints under plain http. You should always use https for security.
- ApexOpenRedirect: Checks against redirects to user-controlled locations. This prevents attackers from redirecting u…
- ApexSharingViolations: Detect classes declared without explicit sharing mode if DML methods are used. This forces the de…
- ApexSOQLInjection: Detects the usage of untrusted / unescaped variables in DML queries.
- ApexSuggestUsingNamedCred: Detects hardcoded credentials used in requests to an endpoint. You should refrain from hardcoding…
- ApexXSSFromEscapeFalse: Reports on calls to ‘addError’ with disabled escaping. The message passed to ‘addError’ will be d…
- ApexXSSFromURLParam: Makes sure that all values obtained from URL parameters are properly escaped / sanitized to avoid…
Additional rulesets
-
ApexUnit (
rulesets/apex/apexunit.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
ApexUnitTestClassShouldHaveAsserts, ApexUnitTestShouldNotUseSeeAllDataTrue
-
Braces (
rulesets/apex/braces.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
ForLoopsMustUseBraces, IfElseStmtsMustUseBraces, IfStmtsMustUseBraces, WhileLoopsMustUseBraces
-
Complexity (
rulesets/apex/complexity.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
AvoidDeeplyNestedIfStmts, ExcessiveClassLength, ExcessiveParameterList, ExcessivePublicCount, NcssConstructorCount, NcssMethodCount, NcssTypeCount, StdCyclomaticComplexity, TooManyFields
-
Default ruleset used by the CodeClimate Engine for Salesforce.com Apex (
rulesets/apex/ruleset.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexDoc, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexUnitTestClassShouldHaveAsserts, ApexUnitTestShouldNotUseSeeAllDataTrue, ApexXSSFromEscapeFalse, ApexXSSFromURLParam, AvoidDeeplyNestedIfStmts, AvoidDirectAccessTriggerMap, AvoidDmlStatementsInLoops, AvoidGlobalModifier, AvoidHardcodingId, AvoidLogicInTrigger, AvoidNonExistentAnnotations, AvoidSoqlInLoops, AvoidSoslInLoops, ClassNamingConventions, CyclomaticComplexity, EmptyCatchBlock, EmptyIfStmt, EmptyStatementBlock, EmptyTryOrFinallyBlock, EmptyWhileStmt, ExcessiveClassLength, ExcessiveParameterList, ExcessivePublicCount, ForLoopsMustUseBraces, IfElseStmtsMustUseBraces, IfStmtsMustUseBraces, MethodNamingConventions, MethodWithSameNameAsEnclosingClass, NcssConstructorCount, NcssMethodCount, NcssTypeCount, OneDeclarationPerLine, StdCyclomaticComplexity, TooManyFields, VariableNamingConventions, WhileLoopsMustUseBraces
-
Empty Code (
rulesets/apex/empty.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
EmptyCatchBlock, EmptyIfStmt, EmptyStatementBlock, EmptyTryOrFinallyBlock, EmptyWhileStmt
-
Metrics temporary ruleset (
rulesets/apex/metrics.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
-
Performance (
rulesets/apex/performance.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
AvoidDmlStatementsInLoops, AvoidSoqlInLoops, AvoidSoslInLoops
-
quickstart (
rulesets/apex/quickstart.xml
):Quickstart configuration of PMD for Salesforce.com Apex. Includes the rules that are most likely to apply everywhere.
It contains the following rules:
ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexDoc, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexUnitTestClassShouldHaveAsserts, ApexUnitTestShouldNotUseSeeAllDataTrue, ApexXSSFromEscapeFalse, ApexXSSFromURLParam, AvoidDeeplyNestedIfStmts, AvoidDirectAccessTriggerMap, AvoidGlobalModifier, AvoidHardcodingId, AvoidLogicInTrigger, AvoidNonExistentAnnotations, ClassNamingConventions, CyclomaticComplexity, DebugsShouldUseLoggingLevel, EmptyCatchBlock, EmptyIfStmt, EmptyStatementBlock, EmptyTryOrFinallyBlock, EmptyWhileStmt, ExcessiveClassLength, ExcessiveParameterList, ExcessivePublicCount, FieldNamingConventions, ForLoopsMustUseBraces, FormalParameterNamingConventions, IfElseStmtsMustUseBraces, IfStmtsMustUseBraces, LocalVariableNamingConventions, MethodNamingConventions, MethodWithSameNameAsEnclosingClass, NcssConstructorCount, NcssMethodCount, NcssTypeCount, OneDeclarationPerLine, OperationWithLimitsInLoop, PropertyNamingConventions, StdCyclomaticComplexity, TooManyFields, WhileLoopsMustUseBraces
-
Security (
rulesets/apex/security.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexXSSFromEscapeFalse, ApexXSSFromURLParam
-
Style (
rulesets/apex/style.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
AvoidDirectAccessTriggerMap, AvoidGlobalModifier, AvoidHardcodingId, AvoidLogicInTrigger, ClassNamingConventions, MethodNamingConventions, MethodWithSameNameAsEnclosingClass, VariableNamingConventions